Step 3: Protect Communications Between Exchange Server 2007 and Windows Mobile Devices

6/2/2010

Follow these steps to help protect communications between your Exchange Client Access Server and Windows Mobile 6 devices:

  • Deploy SSL to encrypt messaging traffic.
  • Enable SSL on the default Web site.
  • Configure basic authentication for the Exchange ActiveSync virtual directory.
  • Protect IIS by limiting potential attack surfaces.

See Best Practices for Mobile Messaging Deployment in this guide for more information about authentication and certification.

Deploy SSL to Encrypt Messaging Traffic

To help protect incoming and outgoing e-mail, deploy SSL to encrypt message traffic. You can configure SSL security features on an Exchange server to verify the integrity of content, to verify the identity of users, and to encrypt network transmissions.

The following steps show how to configure SSL for Exchange ActiveSync:

  1. Obtain and install a server certificate
  2. Validate the installation
  3. Back up the server certificate
  4. Enable SSL for the Exchange ActiveSync virtual directory

Note

To perform the following procedures, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. As a security best practice, log on to your computer using an account that is not in the Administrators group, and then use the Run as command to run IIS Manager as an administrator. From the command prompt, type the following command: runas /user:administrative_accountname "mmc %systemroot%\system32\inetsrv\iis.msc"

Obtain and Install a Server Certificate

Follow these directions to obtain a server certificate, install it, verify the installation, and back it up. When you use the Web Server Certificate Wizard to obtain and install a server certificate, the process is referred to as creating and assigning a server certificate.

To obtain a server certificate from a Certification Authority

  1. Log on to the Exchange server using an Administrator account.

  2. Click Start, click Programs, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

  3. Double-click the ServerName to view the Web sites. Right-click Default Web Site, and then click Properties.

  4. Click to select the Directory Security tab. The following illustration shows the IIS Manager window and the Directory Security tab. Under Secure Communications, click Server Certificate.

  5. In the Welcome Web Server Certificate Wizard dialog box, click Next, click Create a new certificate, and then click Next.

  6. Click Prepare the request now, but send it later, and then click Next.

  7. In the Name and Security Settings dialog box, type a name for your server certificate (for example, type <Exchange_Server_Name>), click Bit length of 1024, and then click Next. The following illustration shows the Name and Security Settings dialog box.

Note

Ensure that Select cryptographic service provider is not selected.

  8. In the Organization Information dialog box, type a name in the Organization text box (for example, type <Company_Name>) and in the Organizational unit text box (for example, type <IT Department>), and then click Next.

  9. In the Your Site's Common Name dialog box, type the fully qualified domain name of your server or cluster for Common name (for example, type <webmail.mycompany.com>), and then click Next. This will be the domain name that your client mobile devices will access.

  10. In the Geographical Information dialog box, click Country/region (for example, US), State/province (for example, <State>) and City/locality (for example, <City>), and then click Next.

  11. In the Certificate Request Filename dialog box, keep the default of C:\NewKeyRq.txt (where C: is the location where your OS is installed), and then click Next.

  12. In the Request File Summary dialog box, review the information and then click Next. The following illustration shows an example of a Request File Summary.

  13. You should receive a success message when the certificate request is complete. Click Finish.

Next, you must request a server certificate from a valid Certification Authority. To do this, you must access the Internet or an intranet, depending on the Certification Authority that you choose, using a properly configured Web browser.

The steps detailed here are for accessing the Web site for your Certification Authority. For a production environment, you will probably request a server certificate from a trusted Certification Authority over the Internet.

To submit the certificate request

  1. Start Microsoft Internet Explorer. Type the Uniform Resource Locator (URL) for the Microsoft Certification Authority Web site, http://<server_name>/certsrv/. When the Microsoft CA Web site page displays, click Request a Certificate, and then click Advanced Certificate Request.

  2. On the Advanced Certificate Request page, click Submit a certificate request by using a base-64 encoded PKCS#10 file, or submit a renewal request by using a base-64 encoded PKCS #7 file.

  3. On your local server, navigate to the location of the C:\NewKeyRq.txt file that you saved previously.

  4. Double-click to open the C:\NewKeyRq.txt file in Notepad. Select and copy the entire contents of the file.

  5. On the Certification Authority Web site, navigate to the Submit a Certificate Request page. If you are prompted to pick the type of certificate, select Web Server. The following illustration shows an example of a Submit a Certificate Request page.

  6. Click inside the Saved Request box, paste the contents of the file into the box, and then choose Submit. The pasted content is the base-64 encoded request from C:\NewKeyRq.txt, beginning with the line -----BEGIN NEW CERTIFICATE REQUEST----- and ending with the line -----END NEW CERTIFICATE REQUEST-----.

  7. On the Certificate Issued page, click DER encoded, and then click Download certificate.

  8. In the File Download dialog box, click Save this file to disk, and then click OK. Keep the default setting to save the file to the desktop, and click Save.

  9. Close Internet Explorer.

At this point, a server certificate exists on your desktop that can be imported into the Exchange server certificate store. Next, you must install the certificate.

To install the server certificate

  1. Start Internet Information Services (IIS) Manager and expand <DomainName>.

  2. Right-click Default Web Site and then click Properties. In the Properties dialog box, select the Directory Security tab. Under Secure Communication, click Server Certificate.

  3. In the Certificate Wizard dialog box, click Next.

  4. Select Process the Pending Request and install the certificate. Click Next.

  5. Navigate to, or type, the location and file name for the file containing the server certificate, certnew.txt, that is located on the desktop, and then click Next.

  6. Select the SSL port that you wish to use. Microsoft recommends that you use the default SSL port, which is Port 443.

  7. In the Certificate Summary Information dialog box, click Next, and then click Finish.
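A scripted alternative to the request and install procedures above, added here as an example and not part of the original guide: it builds the PKCS#10 request with certreq.exe (included with Windows Server 2003) from an INF file, and installs the certificate that the CA issues with certreq -accept. The server name, paths, organization values and the 2048-bit key length are assumptions; binding the certificate to the Web site is still done in IIS Manager with the Server Certificate wizard's Assign an existing certificate option.

```powershell
# Added example, not from the original guide. Scripts the request and
# installation steps with certreq.exe instead of the Web Server Certificate
# Wizard. Every name and path below is an assumption for illustration.
$Fqdn    = "webmail.mycompany.com"        # common name the devices will connect to
$InfPath = "C:\NewKeyRq.inf"
$ReqPath = "C:\NewKeyRq.txt"               # same file name the wizard uses
$CerPath = "$env:USERPROFILE\Desktop\certnew.cer"   # certificate downloaded from the CA

function New-ExchangeCertRequest {
    # KeyLength is 2048 here (the wizard dialog shown in this guide uses 1024).
    # Exportable = TRUE is what later allows the private key to be backed up.
    $inf = @"
[NewRequest]
Subject = "CN=$Fqdn, OU=IT Department, O=Company_Name, L=City, S=State, C=US"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@
    Set-Content -Path $InfPath -Value $inf -Encoding ASCII
    # Generates the key pair in the machine store and writes the base-64 PKCS#10
    # request. Paste the contents of $ReqPath into the CA's Saved Request box.
    & certreq.exe -new $InfPath $ReqPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed" }
    Get-Content $ReqPath
}

function Install-IssuedCert {
    # Run after downloading the issued certificate: certreq matches it to the
    # pending request and stores it, with its private key, in LocalMachine\My.
    if (-not (Test-Path $CerPath)) { throw "Download the issued certificate to $CerPath first" }
    & certreq.exe -accept $CerPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed" }
    # Binding the certificate to the Web site is still done in IIS Manager:
    # Server Certificate wizard, "Assign an existing certificate".
}

# Usage: run New-ExchangeCertRequest, submit the request to the CA, download
# the issued certificate as certnew.cer, then run Install-IssuedCert.
```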

Validate the Installation

To verify the installation, view the server certificate.

To view the server certificate

  1. In the Default Web Site Properties dialog box, click Directory Security. Under Secure Communications, select View Certificate. The following illustration shows the Certificate dialog box.

  2. At the bottom of the Certificate dialog box, a message indicates that a private key is installed, if appropriate. Click OK to close the Certificate dialog box.

Note

If the Certificate dialog box does not show that a private key corresponding to the certificate is installed on the server, over-the-air synchronization will not work.

For authentication to function, you must add the Certification Authority to the trusted root Certification Authority list.

To add a Certification Authority to the trusted root Certification Authority list

  1. Start Internet Explorer and type the URL for your Certificate Authority. For example, if you received your server certificate from the Certification Authority that you configured earlier, type http://<server_name>/certsrv.

  2. Click Download a CA certificate, certificate chain, or CRL, and then on the following page click Download CA certificate. In the File download dialog box, click Save this file to disk, and then click OK.

  3. Type a server certificate Name (for example, <certnewca.cer>) and then save the file to the desktop.

  4. Navigate to the desktop. Right-click on the file that you created in step 3, and then click Install Certificate. In the Certificate Import Wizard dialog box, click Next.

  5. Click Place all certificates in the following store, and then click Browse. Select the Trusted Root Certification Authorities folder, and then click OK. The following illustration shows the Select Certificate Store dialog box.

Note

You may use the Intermediate Certificate Authorities instead of the Trusted Root Certificate Authorities.

  6. Click Next. A dialog box stating that the certificate is being added to the trusted certificate store appears; click Yes to close this dialog box. Click Finish, and the message import successful displays.
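The same checks as the View Certificate step and the trusted root procedure, done from a script so they can be repeated after every renewal. This is an added example, not code from the original guide; it assumes the certificate's common name is the FQDN given below and that it runs on the Client Access server.

```powershell
# Added example, not from the original guide. Confirms that the server
# certificate has its private key and chains to a CA in the machine's
# Trusted Root Certification Authorities store. $Fqdn is an assumed value.
param([string]$Fqdn = "webmail.mycompany.com")

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$Fqdn*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if ($cert -eq $null) { Write-Host "No certificate for $Fqdn in LocalMachine\My"; exit 1 }

Write-Host "Subject    : $($cert.Subject)"
Write-Host "Thumbprint : $($cert.Thumbprint)"
Write-Host "Expires    : $($cert.NotAfter)"

# The Note above says synchronization fails without the matching private key.
if (-not $cert.HasPrivateKey) {
    Write-Host "FAIL: no private key is associated with this certificate"; exit 1
}

# Build the chain. Revocation checking is turned off so the check works
# offline; switch it back on when the CA's CRL is reachable from this server.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($cert)) {
    foreach ($s in $chain.ChainStatus) {
        Write-Host "FAIL: $($s.Status) - $($s.StatusInformation.Trim())"
    }
    exit 1
}

# The last chain element is the root; it must be the CA certificate that the
# "add a Certification Authority" procedure placed in the Trusted Root store.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$trusted = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
if ($trusted -eq $null) {
    Write-Host "FAIL: chain root '$($root.Subject)' is not in Trusted Root Certification Authorities"; exit 1
}

Write-Host "OK: private key present and chain builds to trusted root '$($root.Subject)'"
```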

Back up the Server Certificate

You can use the Web Server Certificate Wizard to back up server certificates. Because IIS works closely with Windows, you can use Certificate Manager, which is called Certificates in the Microsoft Management Console (MMC), to export and to back up your server certificates.

If you do not have Certificate Manager installed in MMC, you must add Certificate Manager to MMC.

To add Certificate Manager to MMC

  1. From the Start menu, click Run.

  2. In the Open box, type mmc, and then click OK.

  3. On the File menu, click Add/Remove Snap-in.

  4. In the Add/Remove Snap-in dialog box, click Add.

  5. The following illustration shows the Add/Remove Snap-in and Add Standalone Snap-in dialog boxes. In the Available Standalone Snap-ins list, click Certificates, and then click Add.

  6. Click Computer Account, and then click Next.

  7. Click the Local computer (the computer that this console runs on) option, and then click Finish.

  8. Click Close, and then click OK.

With Certificate Manager installed, you can back up your server certificate.

To back up your server certificate

  1. Locate the correct certificate store. This store is typically the Local Computer store in Certificate Manager.

Note

When you have Certificate Manager installed, it points to the correct Local Computer certificate store.

  2. In the Personal store, click the server certificate that you want to back up.

  3. On the Action menu, point to All tasks, and then click Export.

  4. In the Certificate Manager Export Wizard, click Yes, export the private key.

  5. Follow the wizard default settings, and when prompted type a password for the server certificate backup file.

Note

Do not select Delete the private key if export is successful, because this option disables your current server certificate.

  6. Complete the wizard to export a backup copy of your server certificate.
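The export wizard's result, produced from a script so the backup can be scheduled and verified. This is an added example, not code from the original guide; the thumbprint and output path are placeholders, and as the Note above requires, the private key is left in the store.

```powershell
# Added example, not from the original guide. Exports the server certificate
# with its private key to a password-protected PFX file and then reads the
# file back to confirm the backup is usable. Thumbprint and path are placeholders.
param(
    [string]$Thumbprint = "PLACEHOLDER_THUMBPRINT",           # from View Certificate, Details tab
    [string]$OutFile    = "D:\CertBackup\webmail-backup.pfx"  # assumed backup location
)
trap { Write-Host "Backup failed: $_"; exit 1 }

$pfxType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if ($cert -eq $null)          { throw "certificate $Thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "certificate has no private key, so there is nothing to back up" }

# The password protects the private key inside the PFX; prompt for it rather
# than hard-coding it. Export() throws if the key was created non-exportable.
$password = Read-Host "Password for the backup file" -AsSecureString
$bytes = $cert.Export($pfxType, $password)

New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null
[System.IO.File]::WriteAllBytes($OutFile, $bytes)

# Verify the backup: load the PFX into memory only (not into a store) and
# confirm it is the same certificate and still carries the private key.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($OutFile, $password)
if ($check.Thumbprint -ne $cert.Thumbprint -or -not $check.HasPrivateKey) {
    throw "backup at $OutFile does not contain the expected certificate and key"
}
Write-Host "Backed up $($cert.Subject) to $OutFile; the private key remains installed on the server."
```

Keep the PFX and its password apart from each other and off the Web server itself, since together they are equivalent to the server's private key.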

After you configure your network to issue server certificates, you must update your Exchange Client Access server and its services by requiring SSL communication with the Exchange Client Access server. The following section describes how to enable SSL for your default Web site.

Enable SSL for the Default Web Site

After you obtain an SSL certificate to use with either your Exchange Client Access server on the default Web site or on the Web site where you host the \Exchange, \Exchweb, \Microsoft-Server-ActiveSync, and \Public virtual directories, you can enable the default Web site to require SSL.

Note

The \Exchange, \Exchweb, \Microsoft-Server-ActiveSync, and \Public virtual directories are installed by default during any Exchange Server 2007 installation. The \RPC virtual directory for RPC over HTTP communication is installed manually when you configure Exchange Server 2007 to support RPC over HTTP.

To require SSL on the default Web site

  1. In the Internet Information Services (IIS) Manager, select the Default Web site or the Web site where you are hosting your Exchange Server 2007 services, and then click Properties.

  2. On the Directory Security tab, in the Secure Communications box, click Edit.

  3. The following illustration shows the Secure Communications dialog box. Click the Require Secure Channel (SSL) check box. Click OK.

  4. Depending on your installation, the Inheritance Overrides dialog box may appear. Select the virtual directories that should inherit the new setting, for example Microsoft-Server-ActiveSync, and then click OK.

  5. On the Directory Security tab, click OK.

After you complete this procedure, the virtual directories on the Exchange Client Access server that is on the default Web site are configured to use SSL.

Configure Basic Authentication

The Exchange ActiveSync Web site supports SSL connections as soon as the server certificate is bound to the Web site. However, users still have the option of connecting to the Exchange ActiveSync Web site using a non-secure connection. You can require all client Windows Mobile 6 powered devices to successfully negotiate an SSL link before connecting to Exchange ActiveSync Web site directories.

Microsoft recommends that you enforce basic authentication on all HTTP directories that the ISA server makes accessible to external users. In this way, you can take advantage of the ISA server feature that enables the relay of basic authentication credentials from the firewall to the Exchange ActiveSync Web site.

Require SSL Connection to the Exchange ActiveSync Web Site Directories

This step helps prevent non-authenticated communications from reaching the Exchange ActiveSync Web site.

You can repeat these steps with the /Exchange, /Exchweb, and /Public directories found in the left pane of the IIS MMC console. This can be done to require SSL on the four Web site directories that you can make accessible to remote users:

  • /Exchange
  • /ExchWeb
  • /Microsoft-Server-ActiveSync
  • /Public

To require an SSL connection to the Exchange ActiveSync Web site directories

  1. Click Start, point to Administrative Tools and then click Internet Information Services (IIS) Manager. In Internet Information Services (IIS) Manager, expand your server name and then expand the Default Web Site node in the left pane of the console.

  2. Right-click on the Microsoft-Server-ActiveSync directory so that it is highlighted, and then click Properties.

  3. Click Directory Security. In the Authentication and access control frame, click Edit.

  4. The following illustration shows the Authentication Methods dialog box. Click to clear all check boxes except for the Basic authentication (password is sent in clear text) check box. Place a check mark in the Basic authentication check box.

  5. Click Yes in the dialog box that warns you that the credentials should be protected by SSL. In the Default domain text box, type in your domain name.

  6. Click OK.

  7. In the Exchange Properties dialog box, click Apply, and then click OK.

  8. After you have required basic authentication on the directories you have chosen, close the Internet Information Services (IIS) Manager console.
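An audit of what the two procedures above set by hand (SSL required, Basic the only authentication method, a default domain filled in) on all four directories, read from the IIS 6.0 metabase through its ADSI provider. This is an added example, not code from the original guide; it assumes the Default Web Site is site instance 1 (IIS://localhost/W3SVC/1), as on a default installation.

```powershell
# Added example, not from the original guide. Reads the IIS 6.0 metabase via
# the IIS ADSI provider and reports any of the four directories that do not
# require SSL or still allow a method other than Basic authentication.
# Assumes the Default Web Site is W3SVC instance 1.
$siteRoot = "IIS://localhost/W3SVC/1/ROOT"
$vdirs = "Exchange", "ExchWeb", "Microsoft-Server-ActiveSync", "Public"

# IIS 6.0 metabase bit masks for AccessSSLFlags and AuthFlags.
$AccessSSL     = 8
$AuthAnonymous = 1
$AuthBasic     = 2
$AuthNTLM      = 4

function Test-ExchangeVdirSecurity {
    $failures = 0
    foreach ($name in $vdirs) {
        $vdir   = [ADSI]"$siteRoot/$name"
        $ssl    = [int]$vdir.Properties["AccessSSLFlags"].Value
        $auth   = [int]$vdir.Properties["AuthFlags"].Value
        $domain = [string]$vdir.Properties["DefaultLogonDomain"].Value

        $problems = @()
        if (($ssl -band $AccessSSL) -eq 0)      { $problems += "SSL not required (AccessSSLFlags=$ssl)" }
        if (($auth -band $AuthBasic) -eq 0)     { $problems += "Basic authentication not enabled" }
        if (($auth -band $AuthAnonymous) -ne 0) { $problems += "Anonymous access still enabled" }
        if (($auth -band $AuthNTLM) -ne 0)      { $problems += "Integrated Windows authentication still enabled" }
        if ($domain -eq "")                     { $problems += "no Default domain set for Basic authentication" }

        if ($problems.Count -eq 0) {
            Write-Host ("OK    /{0}" -f $name)
        } else {
            $failures++
            Write-Host ("CHECK /{0}: {1}" -f $name, [string]::Join("; ", $problems))
        }
    }
    return $failures
}

# Exit code is the number of directories that need attention (0 = all good).
exit (Test-ExchangeVdirSecurity)
```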

Configure or Update RSA SecurID Agent (Optional)

If you have chosen to deploy RSA SecurID as an additional security layer, you should set up your Exchange server as an Agent Host within the RSA ACE/Server’s database.

Note

There have been timing limitations between IIS 6.0 and the RSA/ACE Agent. Be sure to update your RSA/ACE Agent for better compatibility with IIS 6.0. For more information, see the RSA Security Web site.

Protect IIS by Limiting Potential Attack Surfaces

Before you expose servers to the Internet, Microsoft recommends that you help protect IIS by turning off all features and services except those that are required.

  • In Windows Server 2003, IIS features are disabled by default to help improve security.
  • In Microsoft Windows Server 2000, you can help protect IIS by downloading and running the IIS Lockdown Wizard and the UrlScan tool, as described below.

Windows Server 2003 SP2 and IIS 6.0

Microsoft Windows Server 2003 has many built-in features that help secure IIS 6.0 servers. To help protect against malicious users and attackers, the default configuration for members of the Windows Server 2003 family does not include IIS. When IIS is installed, it is configured in a highly secure, "locked down" mode that allows only static content. By using the Web Service Extensions feature, you can enable or disable IIS-specific functionality based on the exact needs of your organization.

For more information, see "Reducing the Attack Surface of the Web Server" (IIS 6.0) in the IIS Deployment Guide, at https://go.microsoft.com/fwlink/?LinkId=67608.

Using UrlScan

UrlScan version 2.5 is a security tool that helps restrict the types of HTTP requests that Internet Information Services (IIS) will process. By blocking specific HTTP requests, the UrlScan security tool helps prevent potentially harmful requests from reaching the server. UrlScan 2.5 installs as a stand-alone tool on servers running Microsoft IIS 4.0 and later.

UrlScan 2.5 is not included with IIS 6.0 because IIS 6.0 has built-in features that provide security functionality equal to or better than most of the features of UrlScan 2.5. However, UrlScan provides some additional functionality, such as verb control, beyond what IIS 6.0 provides. If you have incorporated the UrlScan security tool into your server management practices for IIS and for other Microsoft servers, you may want to utilize the additional functionality and features of UrlScan 2.5.

To download the UrlScan security tool, visit the UrlScan Security Tool Web site at https://go.microsoft.com/fwlink/?LinkID=89648.

For more information about the UrlScan and functionality beyond what is provided by IIS 6.0, see "Determining Whether to Use UrlScan 2.5 with IIS 6.0" on the UrlScan Security Tool Web site.